I love #infosec, but hate Skiddies

I love the Information Security world. I love the free flow of information, and the hard work of great people smarter and more amazing than I who fight every day for your privacy. I’m a hacker; I love to trick you into giving up your privacy, or to work on breaking things.

One of the main problems I’ve seen in the current fighting in the interwebs is that many new hackers try to fight for fame, or their 15 minutes, by releasing some DB. These “hackers” generally use cookie-cutter attacks that they copied off some forum or blog. We “affectionately” call them Script Kiddies (Skiddies) because they have no idea how the attacks they are using work, or WHY, but simply just try everything they can find and hope that SOMETHING sticks. This presents a few problems that I would like to outline.

Collateral Damage:
When a company is compromised, and the entire database is leaked publicly for the “lulz”, you’re not really hurting the company. You hurt all the users, most of whom have no way to know that an attack happened, or that their account information just got leaked. Compounding that, many of those users reuse the same email/password or username/password combinations on multiple sites to make things easy. This has now impacted potential customers and companies other than the one you were targeting. Many who hack under the banner of Anonymous claim they are targeting companies and governments for corruption and that they are trying to help the users, but by releasing the data in the manner that happens most often lately, they do the opposite.

Trust, or the Lack of:
Our industry is an industry of secrets. A secret is the most important and powerful weapon you can wield, and when you scream to the rooftops that you have no ability to keep a secret, you will not gain the trust of ANYONE, and you stand a great chance of losing any trust you have managed to acquire in a field where trust is everything.

Placing a Bullseye on your back:
The last drawback I’ll cover regarding public release of data is that you instantly place a target on your back. The government really seems to be working hard lately on busting hackers, so when you announce “HEY LOOK OVER HERE, I’M DOING ILLEGAL THINGS” all it does is get you in trouble.

I enjoy hacking as much as anyone else; I just worry that all the negative attention that’s coming from skiddies is going to undo much of the hard work to bring hacking to the front lines as a legitimate industry.

Getting into InfoSec, Staying out of trouble

When people find out what I do for a hobby, I get very mixed reactions. Some people hear “Hacking” and think I’m an evil person trying to steal their Identity, Credit Card or any number of things for personal gain, and yet others approach with a more “ZOMG THATS KEWL!!!!!!!!ONE!!!!”. I’d like to say both reactions tend to get annoying, which has caused me to stop openly talking about InfoSec unless I know the person I’m talking to shares an interest with me.

On my blog, I could care less if you agree with me or not… it’s my blog, you don’t like it? Leave. Makes no difference to me. However, what DOES bother me is that it seems that 99% of people out there still don’t view InfoSec/Hacking as a needed function in business, and life.

One obstacle that faces anyone trying to break into the Security world is getting hands-on knowledge without breaking the law and putting a quick end to your hobby by ending up in jail. I’ve also heard that people can’t set up a lab because they don’t have money for multiple computers, or can’t risk breaking a desktop with a bad exploit. While I understand that, you ARE going to have to take some risks. These risks can be minimized by using a Virtualized Lab solution. I personally use VirtualBox and run any of the test hosts I would like. I even have a Virtual copy of my Real server so I can test the impact of Patches/Hacks on the virtual copy without causing downtime to the server itself.

VirtualBox gives you a lot of leverage to test things, though you will need to supply your own licenses for Windows (Microsoft does offer 90-day demo versions of some of their products online). With a virtual host, you can then test any number of tools, commands, client-side attacks, and play to your heart’s content because it’s YOUR system. How can it be wrong to break your own passwords, or steal your own Facebook session? It’s NOT. But just because you’re on a Virtual machine DOESN’T mean it’s okay to hack into a website or service you don’t own or have explicit permission from. It’s one thing to steal a session ID from your Host, it’s another to brute-force against Facebook.com … they would likely press charges, even for you hacking only your own account, because your attack would put their other customers at risk of breach.

Pay attention to the Law of unintended consequences. Just because you didn’t MEAN to do something doesn’t make it “okay”. I once was mentoring a kid, who came to me saying “I’m trying to brute force TELNET on this IP, but I can’t get in”. Instead of just simply offering help, I first looked at the target (which happened to be a BANK), then told the kid to make sure he actually does recon on his targets before he tries to randomly attack some host he found with an nmap scan. This is why I suggest working inside a Lab environment: you know your hosts, you have control of the boxes and it’s up to you. If you start looking to the internet for targets, you WILL put a bullseye on your own forehead.

What should you do if you accidentally breach something you didn’t intend? Well… LEAKING it is a horrible idea. That’s one thing that has shocked me about the Anonymous community at large (and all the little sub factions). While some have honest intentions, the methods are wrong, and leave collateral damage everywhere. If you get tracked, and someone asks you if you did something, be forthcoming and offer to help fix the problem, or at least offer to SHOW them how you breached their security.

When I find a problem on my corporate wireless network, I bring it straight to the networking and security teams, and work with them to show them the problems and scope. In turn, they ask me to find everything I can, because they don’t have the staff to spend 24/7 hunting for bugs or exploits on the corporate network while they are putting out fires from users downloading viruses and trying to secure the Intellectual Property.

Use encryption, and employ good passwords. Yes, I said passwords, pluralized. It is not enough to have a single strong password that you use for all your accounts. This is a topic for another time, but ties into staying out of trouble by making sure that any of the data you DO have is encrypted, and not readable to anyone who might breach you.

I would suggest picking your friends wisely and not making enemies. Not everyone in this business has your best interests at heart, and if you are really interested in InfoSec, you should practice the greatest trade secret (Keeping Secrets, starting with your own identity or personal information). Don’t go around screaming your name, don’t draw attention to yourself, and for heaven’s sake… if someone DOES help you, thank them. If they tell you confidential secrets… don’t open your mouth. This community is tight-knit and if you are found to be untrustworthy, word will spread within minutes and you will get no help from anyone again.

So, the overall moral of the story: set up a Lab (Virtual machines, or physical if you have the resources), make friends not enemies, and lastly, for the love of god, keep your head out of your ass!